Review: Patch Tuesday September 2016

BeyondTrust Research Team, September 14th, 2016

Patch Tuesday

This Patch Tuesday introduces seven critical and seven important bulletins, amounting to a total of 14 bulletins. Overall, 47 vulnerabilities were addressed, making this a fairly hefty patch cycle.

MS16-104: Cumulative Security Update for Internet Explorer (3183038)

Kicking off the month, Internet Explorer is patched for five memory corruptions, an elevation of privilege, three information disclosures, and a security feature bypass. The memory corruption vulnerabilities are the most severe issues, as they can allow a remote attacker to execute arbitrary code. To exploit these vulnerabilities, an attacker would host a malicious webpage and entice a victim to browse to it.

MS16-105: Cumulative Security Update for Microsoft Edge (3183043)

Next up is Edge, which is patched for similar issues to those that plagued IE – seven memory corruptions and five information disclosure vulnerabilities, making this a critically-rated bulletin. While it is good to see security issues being addressed in Edge, it is disheartening to see it suffer from more critical vulnerabilities than its predecessor on Patch Tuesday.

MS16-106: Security Update for Microsoft Graphics Component (3185848)

This critically-rated bulletin resolves three elevation of privilege vulnerabilities, an information disclosure, and a remote code execution vulnerability. Since these vulnerabilities exist within the kernel, exercising least privilege does not help to mitigate the impact. Full system compromise is possible, making this a high-priority update.

MS16-107: Security Update for Microsoft Office (3185852)

Office is patched for ten memory corruptions, an ASLR bypass, an information disclosure, and a spoofing vulnerability. The most severe vulnerability types, the memory corruption vulnerabilities, occur due to improper handling of objects in memory, which can lead to code execution. Additionally, the ASLR bypass vulnerability only applies to click-to-run type installations.

MS16-108: Security Update for Microsoft Exchange Server (3185883)

Microsoft Exchange Server returns to our radar with modest vulnerabilities that allow for Information Disclosure, Spoofing, and Elevation of Privilege. In addition, there are multiple vulnerabilities in third-party code, the Oracle Outside In libraries; Microsoft is releasing this update to ensure that all customers using the third-party code are protected. The vulnerabilities in the third-party code can result in Remote Code Execution, Denial of Service, and Information Disclosure.

MS16-109: Security Update for Silverlight (3182373)

A vulnerability exists in Silverlight that could allow an attacker to execute arbitrary code on a system if a user visits a malicious website. The flaw stems from Silverlight improperly handling objects in memory, allowing an attacker to corrupt system memory and gain the same access as the current user. If that user has administrative rights, an attacker could take complete control of the system.

MS16-110: Security Update for Microsoft Windows (3178467)

This bulletin addresses vulnerabilities in all versions of Microsoft Windows excluding Itanium-based servers. There have been multiple vulnerabilities reported, the most extreme of which would allow an attacker to craft a request that could execute arbitrary code with elevated privileges. Other vulnerabilities include information disclosure, remote code execution, and denial of service. Microsoft corrected issues with how Windows enforces permissions, handles NT LAN Manager single sign-on, and handles objects in memory.

MS16-111: Security Update for Windows Kernel (3186973)

The Windows Kernel makes its routine visit on Patch Tuesday with multiple vulnerabilities. Each of the vulnerabilities in Windows Kernel can result in Elevation of Privilege. An attacker exploiting these vulnerabilities could impersonate processes, inject cross-process communication, interrupt system functionality, and gain access to user account information.

MS16-112: Security Update for Windows Lock Screen (3178469)

An issue has been resolved in Windows that allowed an attacker to elevate privileges from the Windows lock screen. An attacker could connect to a malicious Wi-Fi hotspot or connect a broadband adapter to the computer and load web content. Microsoft corrected the issue by fixing the behavior of the lock screen.

MS16-113: Security Update for Windows Secure Kernel Mode (3185876)

It has been found that Windows Secure Kernel Mode improperly handles objects in memory. The memory corruption leaks information to the attacker, and the attacker could combine this with additional vulnerabilities to further exploit the system. While this is not a complete compromise of the system, the sensitivity of the content contained in Windows Secure Kernel Mode makes any information leak a powerful tool in an attacker’s hands.

MS16-114: Security Update for Windows SMBv1 Server (3185879)

A Microsoft Server Message Block 1.0 (SMBv1) vulnerability has been discovered that is triggered when an attacker sends a specially crafted packet to an SMBv1 server. This vulnerability only affects the 1.0 version of SMB. For this vulnerability to be successfully exploited, an attacker has to be authenticated with the server and have permissions to open files on the target. This was addressed by changing how SMB handles specially crafted requests.
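To see whether a given host is in scope for this bulletin, the following added PowerShell example (not from Microsoft or the original post) reports whether the SMBv1 server is enabled. The function name `Get-Smb1ServerState` is an assumption made for this example; the script only reads configuration and should be run from an elevated prompt.

```powershell
# Added example: report whether this host's SMB server still accepts SMBv1,
# the only SMB version MS16-114 applies to. Read-only; changes nothing.
function Get-Smb1ServerState {
    [CmdletBinding()]
    param()

    # Windows 8 / Server 2012 and later expose the setting through the SMB cmdlets.
    if (Get-Command -Name Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $cfg = Get-SmbServerConfiguration
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Source       = 'Get-SmbServerConfiguration'
            Smb1Enabled  = [bool]$cfg.EnableSMB1Protocol
        }
    }

    # Older systems (Windows 7 / Server 2008 R2): the LanmanServer "SMB1" registry value.
    # A missing value means the default, which is SMBv1 enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Source       = 'Registry (LanmanServer\Parameters\SMB1)'
        Smb1Enabled  = ($null -eq $val) -or ($val -ne 0)
    }
}

$state = Get-Smb1ServerState
$state | Format-List
if ($state.Smb1Enabled) {
    Write-Output 'SMBv1 server is enabled: this host is in scope for MS16-114.'
} else {
    Write-Output 'SMBv1 server is disabled on this host.'
}
```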

MS16-115: Security Update for Microsoft Windows PDF Library (3188733)

Microsoft Windows PDF Library makes an appearance in this month’s Patch Tuesday. The library contains two Information Disclosure vulnerabilities. The Information Disclosure vulnerabilities revolve around how the library handles objects in memory; an attacker who crafts a malicious PDF could read the leaked information from memory. In order to exploit these vulnerabilities, the attacker would have to lure the victim to a web page hosting the malicious PDF, or trick the user into opening the PDF locally within Edge.

MS16-116: Security Update in OLE Automation for VBScript Scripting Engine (3188724)

OLE Automation for VBScript Scripting Engine contains a remote code execution vulnerability. The vulnerability revolves around how the VBScript Scripting Engine in Internet Explorer accesses objects in memory. By exploiting this vulnerability, the attacker could corrupt memory such that code could be executed within the context of the local user. If the user is logged in with administrative rights, the attacker could control the affected system.

MS16-117: Security Update for Adobe Flash Player (3188128)

Adobe Flash Player contains critical vulnerabilities that could be used to execute arbitrary code on the target system. This update addresses the vulnerabilities that are described in APSB16-29 from Adobe. In order to exploit these vulnerabilities, an attacker would have to lure a victim to a compromised website with malicious content designed to take advantage of these vulnerabilities.